MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6c05c63623b019614ab1d5cf533f9599d42fe18773d1d92cb1caccee809d2ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 16 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6c05c63623b019614ab1d5cf533f9599d42fe18773d1d92cb1caccee809d2ae
SHA3-384 hash: 872400d88c8e301de2f842d9709b5cdebb59c62e1811101404107f76912bcb39f869683eba0c530d487a262e466d602e
SHA1 hash: fb787a5342ec9a517708e4f016ade498c16fdebb
MD5 hash: ac2dbded9c5d5c310cf5334e8598f8ea
humanhash: nebraska-neptune-yankee-cola
File name:ac2dbded9c5d5c310cf5334e8598f8ea
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:1'968'112 bytes
First seen:2024-01-28 03:23:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:UxfN2vn8OVuWITO9mdNCHFErDiPJ8n/AGBwJmrnXS4fMgUVTdAz:UxwP8OVuWITO9mOHWnBYG2mDuaz
Threatray 380 similar samples on MalwareBazaar
TLSH T1F395F104161D4A13F2552334D4BFE3321661EE7A99E2871796C0BC3B743E2AF3EB1696
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f08e9686dad89ac4 (5 x zgRAT, 4 x PureLogsStealer, 3 x Amadey)
Reporter zbetcheckin
Tags:32 exe PureLogStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
383
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a6c05c63623b019614ab1d5cf533f9599d42fe18773d1d92cb1caccee809d2ae.exe
Verdict:
No threats detected
Analysis date:
2024-01-28 03:24:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e7fc6fb1-4da3-415a-af8f-c466e3f37923

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473228/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Win.Trojan.Generic-10014419-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Creating a file in the %AppData% directory
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/65b5c8d3f9733b1319ac7704/reports/c8920a1c-ced7-43fb-a348-f1e506cfeaee/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a6c05c63623b019614ab1d5cf533f9599d42fe18773d1d92cb1caccee809d2ae
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fdea0f54-9cf8-4b7f-ba08-d6d87259f9b7
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1382215
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to prevent local Windows debugging
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1382215 Sample: t9vh2Q7dR2.exe Startdate: 28/01/2024 Architecture: WINDOWS Score: 100 41 ytmodsupport.com 2->41 45 Multi AV Scanner detection for dropped file 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected PureLog Stealer 2->49 51 5 other signatures 2->51 8 t9vh2Q7dR2.exe 1 2->8         started        11 start.exe 1 2->11         started        signatures3 process4 signatures5 53 Drops PE files to the startup folder 8->53 55 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->55 57 Injects a PE file into a foreign processes 8->57 13 t9vh2Q7dR2.exe 4 8->13         started        17 WerFault.exe 2 8->17         started        19 t9vh2Q7dR2.exe 8->19         started        23 3 other processes 8->23 21 start.exe 11->21         started        process6 file7 37 C:\Users\user\AppData\Roaming\install.exe, PE32 13->37 dropped 39 C:\Users\user\AppData\Roaming\...\start.exe, PE32 13->39 dropped 67 Writes to foreign memory regions 13->67 69 Allocates memory in foreign processes 13->69 71 Injects a PE file into a foreign processes 13->71 25 RegAsm.exe 44 13->25         started        73 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->73 29 WerFault.exe 21 21->29         started        31 WerFault.exe 21 21->31         started        33 RegAsm.exe 21->33         started        35 WerFault.exe 21->35         started        signatures8 process9 dnsIp10 43 ytmodsupport.com 179.43.170.230, 443, 49730, 49731 PLI-ASCH Panama 25->43 59 Query firmware table information (likely to detect VMs) 25->59 61 Contain functionality to detect virtual machines 25->61 63 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 25->63 65 2 other signatures 25->65 signatures11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a6c05c63623b019614ab1d5cf533f9599d42fe18773d1d92cb1caccee809d2ae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6c05c63623b019614ab1d5cf533f9599d42fe18773d1d92cb1caccee809d2ae/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2024-01-27 23:40:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u3afyy3chmazmffldvopkm7zlgouf7qyo46r3ewldswm52aj2kxa._file
Verdict:
malicious
Similar samples:
2e5cabd0ef1a25258496aa4a32c0a23338f72df7da07b4753eefab0982c81540
PureLogsStealer
3673fd28dc25cb26f8dad4aba5a280797cc5879e62bb064fa7d3e2bfb48b603b
PureLogsStealer
630125600827517bdac89201143ee892721fcbe75439d5462f87297226d53c0c
PureLogsStealer
9749e1e9a73aa3bad510d2bde35e011e00283aa46443ad86ade820b560ade944
PureLogsStealer
ae16c9b0453f3cd9829140adcf38934bc8e2497373e1f3ff486c351ae5b1118e
PureLogsStealer
e0d6fe1659965a09e2ddab62be3e33f49fac580bccac65d97fc319ffd4f4af13
PureLogsStealer
f98cf9ee6e3f42fe35ec570b4728ecd65929ba24ba4c090c3b438c8de4677cc8
PureLogsStealer
+ 370 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/240128-dx2jtsbhem/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Drops startup file
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
941c1e9d8aee36010a0cbf63ff2bcca9059eebfb816f13d3415233a8c022b89c
MD5 hash:
b999557d997ea340edd86203505f096a
SHA1 hash:
37ff4ed118286d8e6d0b6815d4e4ce53979d9fe4
Link:
https://www.unpac.me/results/23a5bdbe-a4f5-40a8-8657-ac6891f0dd58/
SH256 hash:
bd71ddd2adaff200f68372fedb46a0340559d33e59ffbd2de4082ef176590481
MD5 hash:
e9d603f848f2f2599e41a8b45a793d22
SHA1 hash:
f361706bd98798c40ba99bfef29084b040b40ab0
Link:
https://www.unpac.me/results/23a5bdbe-a4f5-40a8-8657-ac6891f0dd58/
SH256 hash:
425caf8036da550c8be9efc5c35c81b6651bc6d4edfc6e5a7671b348aea57c4f
MD5 hash:
97c2ba454d409c70e8dea78060b0835a
SHA1 hash:
d0eb1cbdd0f897717b6dbbde1aaef9944fe2a3a8
Link:
https://www.unpac.me/results/23a5bdbe-a4f5-40a8-8657-ac6891f0dd58/
SH256 hash:
ef1bd5d97635747ab718fc2ff1753a55e1a208688e987b2f933ed939174f0b6f
MD5 hash:
9bffe505ed91d358bdb44e51e2176e35
SHA1 hash:
963a3b3e50d4caf20f474c7f87069536b6fcc567
Link:
https://www.unpac.me/results/23a5bdbe-a4f5-40a8-8657-ac6891f0dd58/
SH256 hash:
99e00f3da219ca6f48a69a57780dafb0a75ae9ce38c9961af667275c948f4741
MD5 hash:
f62e1f1056dc0b78f87f17a3435fab2d
SHA1 hash:
0e8d710f50f84482d2665b04f981ff016c8e163c
Link:
https://www.unpac.me/results/23a5bdbe-a4f5-40a8-8657-ac6891f0dd58/
SH256 hash:
a6c05c63623b019614ab1d5cf533f9599d42fe18773d1d92cb1caccee809d2ae
MD5 hash:
ac2dbded9c5d5c310cf5334e8598f8ea
SHA1 hash:
fb787a5342ec9a517708e4f016ade498c16fdebb
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/23a5bdbe-a4f5-40a8-8657-ac6891f0dd58/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a6c05c63623b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a6c05c63623b019614ab1d5cf533f9599d42fe18773d1d92cb1caccee809d2ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Debugger
Create hunting rule
Rule name:Check_VBox_Guest_Additions
Create hunting rule
Rule name:CMD_Shutdown
Create hunting rule
Author:adm1n_usa32
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe a6c05c63623b019614ab1d5cf533f9599d42fe18773d1d92cb1caccee809d2ae

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/473228/
  
URLhaus
https://urlhaus.abuse.ch/url/2752487/

Comments


Avatar
zbet commented on 2024-01-28 03:23:41 UTC

url : hxxp://185.196.10.146/GTALaunchUpdate2.4.exe